Hi,

I discovered a bug in sprintf()'s argument swapping code. It accepts an
argument number of zero, which is invalid. It is handled in different
ways in different libcs, but I figured the best way to handle it in PHP
was to make the function call fail. Patch is attached.

Best regards,
Morten

PS. Thanks to mbn for whining :-)

diff -ur php-4.1.2.orig/ext/standard/formatted_print.c php-4.1.2/ext/standard/formatted_print.c
--- php-4.1.2.orig/ext/standard/formatted_print.c	Fri Mar 15 16:33:12 2002
+++ php-4.1.2/ext/standard/formatted_print.c	Fri Mar 15 17:12:29 2002
@@ -479,7 +479,12 @@
 				temppos = inpos;
 				while (isdigit((int)format[temppos])) temppos++;
 				if (format[temppos] == '$') {
-					argnum = php_sprintf_getnumber(format, &inpos);
+					if ((argnum = php_sprintf_getnumber(format, &inpos)) == 0) {
+						efree(result);
+						efree(args);
+						php_error(E_WARNING, "%s(): zero is not a valid argument number", get_active_function_name(TSRMLS_C));
+						return NULL;
+					}
 					inpos++;  /* skip the '$' */
 				} else {
 					argnum = currarg++;
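
Review bot: In the new `== 0` branch, a specifier with no digits before the `$` (such as "%$s") appears to be reported as zero as well. The `while (isdigit(...)) temppos++` scan above accepts an empty digit run, so if php_sprintf_getnumber() returns 0 when it reads no digits, the caller sees "zero is not a valid argument number" for a format that contains no number at all. Consider requiring `temppos > inpos` before treating the run as an argument number, or wording the warning to cover both cases. The assignment would also read more clearly outside the condition, and since this hunk only adds a lower bound, it is worth confirming that an argument number larger than the number of supplied arguments is rejected elsewhere in the function.
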
diff -ur php-4.1.2.orig/tests/strings/002.phpt php-4.1.2/tests/strings/002.phpt
--- php-4.1.2.orig/tests/strings/002.phpt	Fri Mar 15 16:33:13 2002
+++ php-4.1.2/tests/strings/002.phpt	Fri Mar 15 17:10:28 2002
@@ -38,6 +38,7 @@
 printf("printf test 27:%3\$d %d %d\n", 1, 2, 3);
 printf("printf test 28:%2\$02d %1\$2d\n", 1, 2);
 printf("printf test 29:%2\$-2d %1\$2d\n", 1, 2);
+print("printf test 30:"); printf("%0\$s"); print("x\n");
 
 ?>
 --EXPECT--
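
Review bot: The added test 30 line covers only `%0\$s` with no arguments and checks only that nothing is printed between the prefix and `x`. Since the fix makes the call fail, consider also checking what sprintf() returns for the same format, and adding a case where arguments are supplied, so the test shows the call is rejected rather than quietly picking some argument.
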
@@ -72,3 +73,4 @@
 printf test 27:3 1 2
 printf test 28:02  1
 printf test 29:2   1
+printf test 30:x
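
Review bot: The expected line `printf test 30:x` contains no warning text, although the C change raises an E_WARNING for this input. The test therefore passes only when warnings are not written to the output; that setting is not visible in these hunks, so confirm the test file disables error display, otherwise the result will differ between configurations.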

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php